[BUG] Verifying that cve-2021-44228 (Apache Log4J / Log4Shell) does not affect openapi-generator

Description

This is a general request for a statement. I am not a java dev but looking through the code dependencies, this project relies on slf4j for logging and not Log4J 2. Am I reading everything correctly?

openapi-generator version

Current Master version 5.3.0

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 5
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

1 reaction
djbreen7 commented, Dec 17, 2021

Piggy-backing on this as it’s related. Creating a custom generator produces a pom.xml containing this segment indicating that it’s using Maven Surefire w/log4j.

command: openapi-generator-cli meta -n custom-generator -p com.company.custom

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.12</version>
                <configuration>
                    <systemProperties>
                        <property>
                            <name>loggerPath</name>
                            <value>conf/log4j.properties</value>
                        </property>
                    </systemProperties>
                    <argLine>-Xms512m -Xmx1500m</argLine>
                    <parallel>methods</parallel>
                    <forkMode>pertest</forkMode>
                </configuration>
            </plugin>

I don’t know enough about Java to figure out which version of log4j is used. It looks like it’s only for running tests, so I don’t believe it gets included in the jar file that gets produced when packaged.

Same goal as OP. A statement would be appreciated.

1 reaction
timbedard commented, Dec 16, 2021

Scanning with log4j-detect yields a positive result:

Scanning ../OpenAPITools/openapi-generator for vulnerabilities...

Manifest: ../OpenAPITools/openapi-generator/modules/openapi-generator/src/main/resources/scala-gatling/build.gradle
Vulnerable Paths:
|-- org.scala-sbt:zinc_2.12:1.3.5
|  |-- org.scala-sbt:zinc-compile-core_2.12:1.3.5
|  |  |-- org.scala-sbt:util-logging_2.12:1.3.0
|  |  |  |-- org.apache.logging.log4j:log4j-core:2.11.2 Vulnerable

Manifest: ../OpenAPITools/openapi-generator/samples/client/petstore/scala-httpclient/build.gradle
Vulnerable Paths:
|-- org.scala-sbt:zinc_2.12:1.3.5
|  |-- org.scala-sbt:zinc-compile-core_2.12:1.3.5
|  |  |-- org.scala-sbt:util-logging_2.12:1.3.0
|  |  |  |-- org.apache.logging.log4j:log4j-core:2.11.2 Vulnerable

Manifest: ../OpenAPITools/openapi-generator/samples/client/petstore/scala-gatling/build.gradle
Vulnerable Paths:
|-- org.scala-sbt:zinc_2.12:1.3.5
|  |-- org.scala-sbt:zinc-core_2.12:1.3.5
|  |  |-- org.scala-sbt:util-logging_2.12:1.3.0
|  |  |  |-- org.apache.logging.log4j:log4j-core:2.11.2 Vulnerable


One or more of your projects contain the log4j CVE-2021-44228 or CVE-2021-45046 exploit.

Remediation steps:
	* Upgrade to version org.apache.logging.log4j:log4j-core:2.16.0

Learn more about the vulnerability and it's remediation:
https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-44228/

©WhiteSource
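The two comments above raise the two questions a defender has to answer separately: does a build file merely *mention* log4j (the surefire `loggerPath` pointing at `conf/log4j.properties`), or does the dependency graph actually pull in `log4j-core`, and at which version? The following is an added example, not code from the openapi-generator project or from either commenter. It inspects a pom.xml for declared log4j artifacts versus plain configuration strings, and parses a log4j-detect style report into per-manifest findings compared against the 2.16.0 remediation version named in the scan output. The sample pom.xml and report are constructed to match the shapes quoted in the thread; the `already-upgraded` artifact and `samples/a`, `samples/b` paths are made up.

```python
"""Added example for triaging Log4Shell findings of the kind shown in this
thread. Not code from the openapi-generator project or the commenters; the
sample pom.xml and scan report are constructed to match the quoted shapes."""
import re
import xml.etree.ElementTree as ET

# Version named in the scan's remediation line above (also covers CVE-2021-45046).
PATCHED_LOG4J_CORE = (2, 16, 0)
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed sample: a shortened custom-generator pom.xml with the surefire
# segment from the comment above and an slf4j (not log4j) dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.30</version>
    </dependency>
  </dependencies>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-surefire-plugin</artifactId>
    <version>2.12</version>
    <configuration><systemProperties><property>
      <name>loggerPath</name><value>conf/log4j.properties</value>
    </property></systemProperties></configuration>
  </plugin></plugins></build>
</project>"""

# Constructed sample: two manifests in the log4j-detect report format quoted above;
# the second one uses a made-up artifact that already sits above the patched version.
SAMPLE_REPORT = """\
Manifest: ../project/samples/a/build.gradle
Vulnerable Paths:
|-- org.scala-sbt:zinc_2.12:1.3.5
|  |-- org.scala-sbt:util-logging_2.12:1.3.0
|  |  |-- org.apache.logging.log4j:log4j-core:2.11.2 Vulnerable

Manifest: ../project/samples/b/build.gradle
Vulnerable Paths:
|-- com.example:already-upgraded:1.0
|  |-- org.apache.logging.log4j:log4j-core:2.17.1
"""


def local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def pom_log4j_references(pom_xml):
    """Separate declared log4j artifacts from config strings that merely name log4j.
    Only a declared artifact puts log4j-core on the classpath; a loggerPath that
    points at log4j.properties says nothing about which log4j (if any) is present."""
    root = ET.fromstring(pom_xml)
    declared, mentions, skip = [], [], set()
    for el in root.iter():
        if local(el.tag) == "dependency":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            skip.update(id(c) for c in el)  # coordinates are reported once, below
            if fields.get("groupId", "").startswith(LOG4J_GROUP):
                declared.append(f"{fields['groupId']}:{fields.get('artifactId')}:{fields.get('version')}")
        elif id(el) not in skip and el.text and "log4j" in el.text.lower():
            mentions.append(el.text.strip())
    return {"declared": declared, "mentions": mentions}


def parse_version(text):
    """'2.11.2' -> (2, 11, 2); qualifiers such as '-rc1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def is_vulnerable_log4j_core(version):
    """True when the log4j-core version is below the remediation version."""
    return parse_version(version) < PATCHED_LOG4J_CORE


def parse_report(report):
    """One finding per log4j-core hit: the manifest, the direct dependency that
    drags log4j-core in, the version found, and whether it needs upgrading."""
    findings, manifest, direct = [], None, None
    for line in report.splitlines():
        if line.startswith("Manifest:"):
            manifest, direct = line.split(":", 1)[1].strip(), None
        elif line.startswith("|-- "):  # top-level entry: the direct dependency
            direct = line[4:].split()[0]
        m = re.search(rf"{re.escape(LOG4J_GROUP)}:log4j-core:(\S+)", line)
        if m and manifest:
            findings.append({"manifest": manifest, "via": direct, "version": m.group(1),
                             "vulnerable": is_vulnerable_log4j_core(m.group(1))})
    return findings


if __name__ == "__main__":
    print(pom_log4j_references(SAMPLE_POM))
    for finding in parse_report(SAMPLE_REPORT):
        print(finding)
```

Run against the sample pom the result is `declared == []` with one mention, `conf/log4j.properties`, which is the distinction djbreen7's comment turns on; the report parser then attributes each `log4j-core` hit to the top-level artifact (here `org.scala-sbt:zinc_2.12:1.3.5`) so the fix can be aimed at the dependency that actually brings log4j in, rather than at the manifest that merely lists it.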
